{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-68822", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-12-24T10:30:51.048Z", "datePublished": "2026-01-13T15:29:24.703Z", "dateUpdated": "2026-05-11T21:53:59.491Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T21:53:59.491Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nInput: alps - fix use-after-free bugs caused by dev3_register_work\n\nThe dev3_register_work delayed work item is initialized within\nalps_reconnect() and scheduled upon receipt of the first bare\nPS/2 packet from an external PS/2 device connected to the ALPS\ntouchpad. During device detachment, the original implementation\ncalls flush_workqueue() in psmouse_disconnect() to ensure\ncompletion of dev3_register_work. However, the flush_workqueue()\nin psmouse_disconnect() only blocks and waits for work items that\nwere already queued to the workqueue prior to its invocation. Any\nwork items submitted after flush_workqueue() is called are not\nincluded in the set of tasks that the flush operation awaits.\nThis means that after flush_workqueue() has finished executing,\nthe dev3_register_work could still be scheduled. Although the\npsmouse state is set to PSMOUSE_CMD_MODE in psmouse_disconnect(),\nthe scheduling of dev3_register_work remains unaffected.\n\nThe race condition can occur as follows:\n\nCPU 0 (cleanup path) | CPU 1 (delayed work)\npsmouse_disconnect() |\n psmouse_set_state() |\n flush_workqueue() | alps_report_bare_ps2_packet()\n alps_disconnect() | psmouse_queue_work()\n kfree(priv); // FREE | alps_register_bare_ps2_mouse()\n | priv = container_of(work...); // USE\n | priv->dev3 // USE\n\nAdd disable_delayed_work_sync() in alps_disconnect() to ensure\nthat dev3_register_work is properly canceled and prevented from\nexecuting after the alps_data structure has been deallocated.\n\nThis bug is identified by static analysis."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/input/mouse/alps.c"], "versions": [{"version": "04aae283ba6a8cd4851d937bf9c6d6ef0361d794", "lessThan": "ed8c61b89be0c45f029228b2913d5cf7b5cda1a7", "status": "affected", "versionType": "git"}, {"version": "04aae283ba6a8cd4851d937bf9c6d6ef0361d794", "lessThan": "a9c115e017b2c633d25bdfe6709dda6fc36f08c2", "status": "affected", "versionType": "git"}, {"version": "04aae283ba6a8cd4851d937bf9c6d6ef0361d794", "lessThan": "bf40644ef8c8a288742fa45580897ed0e0289474", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/input/mouse/alps.c"], "versions": [{"version": "4.0", "status": "affected"}, {"version": "0", "lessThan": "4.0", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.64", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.3", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.0", "versionEndExcluding": "6.12.64"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.0", "versionEndExcluding": "6.18.3"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.0", "versionEndExcluding": "6.19"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/ed8c61b89be0c45f029228b2913d5cf7b5cda1a7"}, {"url": "https://git.kernel.org/stable/c/a9c115e017b2c633d25bdfe6709dda6fc36f08c2"}, {"url": "https://git.kernel.org/stable/c/bf40644ef8c8a288742fa45580897ed0e0289474"}], "title": "Input: alps - fix use-after-free bugs caused by dev3_register_work", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nInput: alps - fix use-after-free bugs caused by dev3_register_work\n\nThe dev3_register_work delayed work item is initialized within\nalps_reconnect() and scheduled upon receipt of the first bare\nPS/2 packet from an external PS/2 device connected to the ALPS\ntouchpad. During device detachment, the original implementation\ncalls flush_workqueue() in psmouse_disconnect() to ensure\ncompletion of dev3_register_work. However, the flush_workqueue()\nin psmouse_disconnect() only blocks and waits for work items that\nwere already queued to the workqueue prior to its invocation. Any\nwork items submitted after flush_workqueue() is called are not\nincluded in the set of tasks that the flush operation awaits.\nThis means that after flush_workqueue() has finished executing,\nthe dev3_register_work could still be scheduled. Although the\npsmouse state is set to PSMOUSE_CMD_MODE in psmouse_disconnect(),\nthe scheduling of dev3_register_work remains unaffected.\n\nThe race condition can occur as follows:\n\nCPU 0 (cleanup path) | CPU 1 (delayed work)\npsmouse_disconnect() |\n psmouse_set_state() |\n flush_workqueue() | alps_report_bare_ps2_packet()\n alps_disconnect() | psmouse_queue_work()\n kfree(priv); // FREE | alps_register_bare_ps2_mouse()\n | priv = container_of(work...); // USE\n | priv->dev3 // USE\n\nAdd disable_delayed_work_sync() in alps_disconnect() to ensure\nthat dev3_register_work is properly canceled and prevented from\nexecuting after the alps_data structure has been deallocated.\n\nThis bug is identified by static analysis."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nEntrada: alps - corrige errores de uso despu\u00e9s de liberaci\u00f3n causados por dev3_register_work\n\nEl elemento de trabajo retrasado dev3_register_work se inicializa dentro de alps_reconnect() y se programa al recibir el primer paquete PS/2 'bare' de un dispositivo PS/2 externo conectado al touchpad ALPS. Durante la desconexi\u00f3n del dispositivo, la implementaci\u00f3n original llama a flush_workqueue() en psmouse_disconnect() para asegurar la finalizaci\u00f3n de dev3_register_work. Sin embargo, la flush_workqueue() en psmouse_disconnect() solo bloquea y espera por elementos de trabajo que ya estaban en cola en la workqueue antes de su invocaci\u00f3n. Cualquier elemento de trabajo enviado despu\u00e9s de que se llama a flush_workqueue() no se incluye en el conjunto de tareas que la operaci\u00f3n de 'flush' espera. Esto significa que despu\u00e9s de que flush_workqueue() ha terminado de ejecutarse, el dev3_register_work a\u00fan podr\u00eda programarse. Aunque el estado de psmouse se establece en PSMOUSE_CMD_MODE en psmouse_disconnect(), la programaci\u00f3n de dev3_register_work permanece inalterada.\n\nLa condici\u00f3n de carrera puede ocurrir de la siguiente manera:\n\nCPU 0 (ruta de limpieza) | CPU 1 (trabajo retrasado)\npsmouse_disconnect() |\n psmouse_set_state() |\n flush_workqueue() | alps_report_bare_ps2_packet()\n alps_disconnect() | psmouse_queue_work()\n kfree(priv); // LIBERAR | alps_register_bare_ps2_mouse()\n | priv = container_of(work...); // USAR\n | priv->dev3 // USAR\n\nA\u00f1adir disable_delayed_work_sync() en alps_disconnect() para asegurar que dev3_register_work se cancele correctamente y se impida su ejecuci\u00f3n despu\u00e9s de que la estructura alps_data haya sido desasignada.\n\nEste error es identificado por an\u00e1lisis est\u00e1tico."}], "id": "CVE-2025-68822", "lastModified": "2026-04-15T00:35:42.020", "metrics": {}, "published": "2026-01-13T16:16:04.550", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/a9c115e017b2c633d25bdfe6709dda6fc36f08c2"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/bf40644ef8c8a288742fa45580897ed0e0289474"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/ed8c61b89be0c45f029228b2913d5cf7b5cda1a7"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Deferred"}

{"bugzilla": {"description": "kernel: Input: alps - fix use-after-free bugs caused by dev3_register_work", "id": "2429053", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2429053"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "details": ["In the Linux kernel, the following vulnerability has been resolved:\nInput: alps - fix use-after-free bugs caused by dev3_register_work\nThe dev3_register_work delayed work item is initialized within\nalps_reconnect() and scheduled upon receipt of the first bare\nPS/2 packet from an external PS/2 device connected to the ALPS\ntouchpad. During device detachment, the original implementation\ncalls flush_workqueue() in psmouse_disconnect() to ensure\ncompletion of dev3_register_work. However, the flush_workqueue()\nin psmouse_disconnect() only blocks and waits for work items that\nwere already queued to the workqueue prior to its invocation. Any\nwork items submitted after flush_workqueue() is called are not\nincluded in the set of tasks that the flush operation awaits.\nThis means that after flush_workqueue() has finished executing,\nthe dev3_register_work could still be scheduled. Although the\npsmouse state is set to PSMOUSE_CMD_MODE in psmouse_disconnect(),\nthe scheduling of dev3_register_work remains unaffected.\nThe race condition can occur as follows:\nCPU 0 (cleanup path) | CPU 1 (delayed work)\npsmouse_disconnect() |\npsmouse_set_state() |\nflush_workqueue() | alps_report_bare_ps2_packet()\nalps_disconnect() | psmouse_queue_work()\nkfree(priv); // FREE | alps_register_bare_ps2_mouse()\n| priv = container_of(work...); // USE\n| priv->dev3 // USE\nAdd disable_delayed_work_sync() in alps_disconnect() to ensure\nthat dev3_register_work is properly canceled and prevented from\nexecuting after the alps_data structure has been deallocated.\nThis bug is identified by static analysis."], "name": "CVE-2025-68822", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-01-13T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-68822\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-68822\nhttps://lore.kernel.org/linux-cve-announce/2026011315-CVE-2025-68822-a75d@gregkh/T"], "threat_severity": "Low"}

{}